Re: [Cryptography] Broken RNG renders gov't-issued smartcards easily hackable.

2013-10-14 Thread Jerry Leichter
On Oct 13, 2013, at 1:04 PM, Ray Dillinger wrote:
>>> This is despite meeting (for some inscrutable definition of "meeting")
>>> FIPS 140-2 Level 2 and Common Criteria standards.  These standards
>>> require steps that were clearly not done here.  Yet, validation
>>> certificates were issued.
> 
>> This is a misunderstanding of the CC certification and FIPS validation 
>> processes:
> 
>> the certificates were issued *under the condition* that the software/system 
>> built on it uses/implements the RNG tests mandated. The software didn't, 
>> invalidating the results of the certifications.
> 
> Either way, it boils down to "tests were supposed to be done or conditions
> were supposed to be met, and producing the darn cards with those certifications
> asserted amounts to stating outright that they were, and yet they were not."
> 
> All you're saying here is that the certifying agencies are not the ones
> stating outright that the tests were done.
How could they?  The certification has to stop at some point; it can't trace 
the systems all the way to end users.  What was certified was a box that would 
work a certain way given certain conditions.  The box was used in a different 
way.  Why is it surprising that the certification was useless?  Let's consider 
a simple encryption box:  Key goes in top, cleartext goes in left; ciphertext 
comes out right.  There's an implicit assumption that you don't simply discard 
the ciphertext and send the plaintext on to the next subsystem in line.  No 
certification can possibly check that; or that, say, you don't post all your 
keys on your website immediately after generating them.

>  I can accept that, but it does
> not change the situation or result, except perhaps in terms of the placement
> of blame. I *still* hope they bill the people responsible for doing the tests
> on the first generation of cards for the cost of their replacement.
That depends on what they were supposed to test, and whether they did test that 
correctly.  A FIPS/Common Criteria Certification is handed a "box" implementing 
the protocol and a whole bunch of paperwork describing how it's designed, how 
it works internally, and how it's intended to be used.  If it passes, what 
passes is the exact design certified, used as described.  There are way too 
many possible systems built out of certified modules for it to be reasonable to 
expect the certification to encompass them all.

I will remark that, having been involved in one certification effort, I think 
they offer little, especially for software - they get at some reasonable issues 
for hardware designs.  Still, we don't currently have much of anything better.  
Hundreds of eyeballs may have been on the Linux code, but we still ended up 
fielding a system with a completely crippled RNG and not noticing for months.  
Still, if you expect the impossible from a process, you make any improvement 
impossible.  Formal verification, where possible, can be very powerful - but it 
will also have to focus on some well-defined subsystem, and all the effort will 
be "wasted" if the subsystem is used in a way that doesn't meet the necessary 
constraints.
-- Jerry

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Broken RNG renders gov't-issued smartcards easily hackable.

2013-10-13 Thread Ray Dillinger
On 10/11/2013 11:23 AM, Wouter Slegers wrote:
> Dear Ray,
> 
> On 2013-10-11, at 19:38 , Ray Dillinger  wrote:
>> This is despite meeting (for some inscrutable definition of "meeting")
>> FIPS 140-2 Level 2 and Common Criteria standards.  These standards
>> require steps that were clearly not done here.  Yet, validation
>> certificates were issued.

> This is a misunderstanding of the CC certification and FIPS validation 
> processes:

> the certificates were issued *under the condition* that the software/system 
> built on it uses/implements the RNG tests mandated. The software didn't, 
> invalidating the results of the certifications.

Either way, it boils down to "tests were supposed to be done or conditions
were supposed to be met, and producing the darn cards with those certifications
asserted amounts to stating outright that they were, and yet they were not."

All you're saying here is that the certifying agencies are not the ones
stating outright that the tests were done.  I can accept that, but it does
not change the situation or result, except perhaps in terms of the placement
of blame. I *still* hope they bill the people responsible for doing the tests
on the first generation of cards for the cost of their replacement.

Bear


Re: [Cryptography] Broken RNG renders gov't-issued smartcards easily hackable.

2013-10-11 Thread Wouter Slegers
Dear Ray,

On 2013-10-11, at 19:38 , Ray Dillinger  wrote:
> This is despite meeting (for some inscrutable definition of "meeting")
> FIPS 140-2 Level 2 and Common Criteria standards.  These standards
> require steps that were clearly not done here.  Yet, validation
> certificates were issued.
This is a misunderstanding of the CC certification and FIPS validation 
processes:
the certificates were issued *under the condition* that the software/system 
built on it uses/implements the RNG tests mandated. The software didn't, 
invalidating the results of the certifications.

At best the mandatory guidance is there because it was too difficult to prove 
that the smart card meets the criteria without it (typical example in the OS 
world: the administrator is assumed to be trusted, the typical example in smart 
card hardware: do the RNG tests!).
At worst the mandatory guidance is there because without it, the smart card 
would not have met the criteria (i.e. without following the guidance there is a 
vulnerability).
This is an example of the latter case. Most likely the software also hasn't 
implemented the other requirements, leaving it somewhat to very vulnerable to the 
standard smart card attacks such as side channel analysis and perturbation.

If the total (the smart card + software) would have been CC certified, this 
would have been checked as part of the composite certification.

(I've been in the smart card CC world for more than a decade. This kind of 
misunderstanding/misapplication is rare for the financial world thanks to 
EMVco, i.e. the credit card companies. It is also rare for European government 
organisations, as they know to contact the Dutch/French/German/UK agencies 
involved in these things. European ePassports for example are generally 
certified for the whole thing and a mistake in those of this order would be ... 
surprising and cause for some intense discussion in the smart card 
certification community. Newer parties into the smart card world tend to have 
to relearn the lessons again and again it seems.)

With kind regards,
Wouter Slegers


[Cryptography] Broken RNG renders gov't-issued smartcards easily hackable.

2013-10-11 Thread Ray Dillinger
Saw this on Arstechnica today and thought I'd pass along the link.

http://arstechnica.com/security/2013/09/fatal-crypto-flaw-in-some-government-certified-smartcards-makes-forgery-a-snap/2/

More detailed version of the story available at:

https://factorable.net/paper.html

Short version:  Taiwanese Government issued smartcards to citizens.
Each has a 1024 bit RSA key.  The keys were created using a borked
RNG.  It turns out many of the keys are broken, easily factored,
or have factors in common, and up to 0.4% of these cards in fact
provide no encryption whatsoever (RSA keys are flat out invalid,
and there is a fallback to unencrypted operation).

This is despite meeting (for some inscrutable definition of "meeting")
FIPS 140-2 Level 2 and Common Criteria standards.  These standards
require steps that were clearly not done here.  Yet, validation
certificates were issued.

Taiwan is now in the process of issuing a new generation of
smartcards; I hope they send the clowns who were supposed to test
the first generation a bill for that.

Bear
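
An added example, not part of the original post or of any code from the linked paper: an issuer-side audit that flags RSA moduli with "factors in common", as the message above describes, using batch GCD over a product tree and remainder tree. The moduli are constructed toy values, and the names `product_tree`, `shared_factor_audit` and `SAMPLE_MODULI` are hypothetical.

```python
from math import gcd


def product_tree(values):
    """Build levels of pairwise products; the last level holds the full product."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([
            level[i] * level[i + 1] if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)
        ])
    return tree


def shared_factor_audit(moduli):
    """Return {index: finding} for every modulus that must be revoked.

    For each modulus n the remainder tree yields P mod n^2, where P is the
    product of all moduli. gcd(n, (P mod n^2) // n) is 1 for a healthy key,
    a proper divisor when a prime is shared, and n itself for a duplicate.
    """
    tree = product_tree(moduli)
    rems = tree.pop()                      # top of the tree: [P]
    while tree:
        level = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    findings = {}
    for i, (n, r) in enumerate(zip(moduli, rems)):
        g = gcd(n, r // n)
        if g == n:
            findings[i] = "duplicate-modulus"
        elif g != 1:
            findings[i] = "shared-prime"
    return findings


# Constructed toy moduli (real keys are 1024 bits or more).
SAMPLE_MODULI = [
    101 * 103,   # shares the prime 101 with index 2
    107 * 109,   # issued twice (see index 4)
    101 * 113,
    127 * 131,   # healthy
    107 * 109,
]

if __name__ == "__main__":
    for index, finding in sorted(shared_factor_audit(SAMPLE_MODULI).items()):
        print(f"modulus #{index}: {finding}")
```

The trees keep the work near-linear in the number of keys, which is what makes a check across a whole issued population practical where pairwise GCD is not.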